October is Cyber Security Awareness Month, a time for the business community to reflect on the ever-evolving digital landscape and the importance of safeguarding their digital assets; for us insurance professionals, it’s an opportunity to raise awareness about this issue within our networks.
In Australia, the adoption of cyber insurance by businesses has been low compared with other developed economies such as the United States and Europe, with the Insurance Council of Australia estimating that only about 20% of SMEs and 35-70% of larger businesses have standalone cyber insurance. While there is no definitive reason why the take-up is lower in our region, historical contributing factors may include:
- Softer privacy regulations and enforcement compared with other jurisdictions
- Low risk of data breach litigation and class actions due to difficulties in demonstrating that loss was incurred
- Elements of cyber cover being included in other insurance policies, e.g. silent cyber coverage and cyber extensions
- Low cyber-attack activity
These factors are quickly disappearing:
- The Australian Federal Government’s recent release of its responses to the Privacy Act Review Report has signalled that change is on the horizon, with new obligations for collecting personal information, the potential removal of the exemption for businesses with a turnover of less than $3 million, and more power provided to the regulators.
- Several class actions are on foot following large public data breaches.
- Insurers are being questioned by regulators in respect of their cyber exposures across their non-cyber stand-alone portfolios: such focus from the UK’s Prudential Regulation Authority has resulted in Lloyd’s of London mandating that “all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage”.
- Australia is now consistently in the top 10 countries for ransomware attacks on businesses.
Insurance brokers play a pivotal role not just in helping their clients secure appropriate cyber insurance coverage but also in providing general cyber education and risk management advice. An insurance broker that provides guidance to their clients can achieve much better results than one that just asks for an application to be completed.
Here are some essential tips to ensure your clients’ cybersecurity measures are up to scratch before submitting applications to insurers.
- Multifactor Authentication (MFA) should be enabled. MFA on email and on computer remote access is a major roadblock for cyber criminals and is a minimum requirement for cover for most insurers. We have written a whitepaper on MFA and you can read it here.
- Back up company information regularly to offline external storage devices or dedicated cloud backup solutions. The ability to restore from backups is an essential component of business continuity planning (BCP) and of meeting Recovery Time Objectives (RTOs); the backups must be kept separate from the client’s computer network so that the network and the backups cannot be compromised at the same time.
- Cyber Awareness Training should be conducted for all staff. This is the best defence against email scams and malware, as it gives employees the capability to detect suspicious activity.
When presenting cyber insurance quotations to clients, it is important that insurance brokers explain the benefits that clients receive from reputable insurers in addition to the insurance coverage itself, including:
- Access to experienced cyber claims staff who have handled numerous cyber incidents
- Access to insurer vendor panels where the vendors are tried and tested with pre-agreed competitive rates
- Insurers have a mutual interest in minimising the impact on their insureds’ business
- Insurers have the capability to commence recovery actions against parties that have contributed to the cyber incident and, if successful, can lower the amounts claimed under the policy and potentially return any deductible payments incurred by the insured, thereby resulting in a better claims history.